måndag 1 december 2014

RIG Exploit Kit - Shellcode analysis

Brad published a traffic analysis exercise which I had a quick look at and felt that I wanted to take it to the next level so I started looking at how to decode the payload delivered by the exploit kit.

I get the shellcode from the Flash exploit as it's provided as a hex-encoded string starting with "90909090" (NOP):

An easy way to go is to create an executable from the shellcode utilizing Shellcode2Exe to be able to step through it in OllyDbg.

Taking the step into shellcode
Loading it up in Olly, it will start with a loop which decodes the payload URL using XOR as seen below. The key can be found by inspecting ESI when first hitting the loop and the encoded data can be found by inspecting EDI.
After decoding:
The decoding loop will continue until the decoded byte is "!" (0x21), the reason will be explained later in the post under "Multiple payloads".

The shellcode uses URLDownloadToCacheFileA to download the payload. Should the payload be successfully downloaded, it will be opened with CreateFileA and read with ReadFile into memory allocated using VirtualAlloc.

After reading the file it will be decrypted using RC4 cipher with a key defined in the shellcode. I recommend reading the post from VRT on how to recognize RC4 when debugging. This is the function found in the shellcode:
Inspecting EDI when hitting the above lines it's found to have the following content:
EDI is pointing to the first byte of the key and EBP holds the key length which is 5 giving the key m3S4V.

At this point it's possible to let the shellcode run until CloseHandle is called and the decoded payload has been written back to disk or write a script for decoding the payload extracted from the PCAP. A small implementation of the RC4 cipher can be found here (Python).

Multiple payloads
What is the most interesting thing about the shellcode is that it carries more functionality than isn't used. The shellcode is used to download one payload, but the shellcode supports multiple payloads.

After calling CreateProcessA, the shellcode will step through the recently used URL looking for the end of the string (0x00), and comparing the next byte with "!" (0x21). If it's true, the shellcode will end otherwise it will start over with a new payload.
An example of URL-list would look like this:

Conclusion of sorts
RIGs shellcode have the capability to download and execute multiple payloads which are encrypted using RC4 (5 byte key). The URL-list is encoded using XOR (5 byte key).

API-calls used in the shellcode (in order of first call):
- LoadLibraryA
- URLDownloadToCacheFileA
- CreateFileA
- VirtualAlloc
- ReadFile
- SetFilePointer
- WriteFile
- VirtualFree
- CloseHandle
- CreateProcessA

You can find the hex-encoded shellcode on [pastebin].

Inga kommentarer:

Skicka en kommentar